Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/05/2024, 19:54

General

  • Target

    28a864872ebdc9d8f5e7f8fe0251884ef8b554b38314af53999b80049f09229f.exe

  • Size

    64KB

  • MD5

    6efc1dfe929aafdd978bcff59b2f3410

  • SHA1

    b8b7d7191aa197040282b5d9a303e4d3b3079eff

  • SHA256

    28a864872ebdc9d8f5e7f8fe0251884ef8b554b38314af53999b80049f09229f

  • SHA512

    fc7daaa75a338ee4f044813363f4144d81b796080cd8b54b7fc1daa147197fd8d84783618c41d99b1790f341da3dd194bdef12cf0af0072ff0c0720a71355fe6

  • SSDEEP

    768:+MEIvFGvZEr8LFK0ic46N47eSdYAHwmZwSp6JXXlaa5uA:+bIvYvZEyFKF6N4yS+AQmZcl/5

Score
10/10

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28a864872ebdc9d8f5e7f8fe0251884ef8b554b38314af53999b80049f09229f.exe
    "C:\Users\Admin\AppData\Local\Temp\28a864872ebdc9d8f5e7f8fe0251884ef8b554b38314af53999b80049f09229f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          PID:2576

Network

        Downloads

        • \Users\Admin\AppData\Roaming\omsecor.exe

          Filesize

          64KB

          MD5

          93309408be95b9b65d081f99761970ca

          SHA1

          d85609d0da74e28400eab391c7132c75ba5e6f67

          SHA256

          abc5df428be2242d96892e7d4cf263d27c111b2618f9619ef0c4ba887c37a7d4

          SHA512

          278bb3b993d38e373c860e6b9ddfc27a37b6c7ac7f1a2503169cd301988a546ccb9d6a68a44f310ab4671ab4a4da71f9ce2570cc125702b6505d162ce65858a0

        • \Users\Admin\AppData\Roaming\omsecor.exe

          Filesize

          64KB

          MD5

          0c2d671058ac1b0205de507bff900c9c

          SHA1

          df8228de427cebf6bf1c4681746c211b5051bc32

          SHA256

          194fd83a84bbb75f5f605e353a9bb5a0dbef107755c80fff94e8e997bbf98c2a

          SHA512

          ce02f912a7ff171b37357a9cbf1c95ce2d5d7ca1508c2c56fe960f017b87e55826a7de457a34bb05da8f88d359ec90c7e3325aad27370cd2a2b4d47c69fc2298

        • \Windows\SysWOW64\omsecor.exe

          Filesize

          64KB

          MD5

          7f873a27a3587c701092ca56df92c801

          SHA1

          9874a7d641e0cd088aaea1a21401955d64c7f8dd

          SHA256

          c1c7b68f205d5ac7739457a0bdee026a7b379b97050a2ed885d78aaa70719d74

          SHA512

          fb7852d3e5b6e3147e2b6909e14c10b78e4de5895f7461cf342943e75d460e738d9ed0f6d0368be833d7ea468e6396bce2d54f7988f3f807d346bdfcb1274553